Splunk Search

How to add column of last login date/time for Target users?

New Member

How can I add a column for my below search that displays a result for the Target_Account_Name's last login date/ time?

index=windows_sec "EventCode=630" OR "EventCode=4726" | eval "Time and Date"=strftime(_time, "%H:%M %Y/%m/%d") | table "Time and Date" "Target_Account_Name" "Caller_Domain" "ComputerName" "Caller_User_Name" | rename "Target_Account_Name" as "Username" "Caller_Domain" as "Domain" "ComputerName" as "Computer Name" "Caller_User_Name" as "Deleted By"

0 Karma

Revered Legend

Try something like this

index=windows_sec "EventCode=630" OR "EventCode=4726" "EventCode=528" OR "EventCode=4624"
| stats first(<<Field from "EventCode=528" OR "EventCode=4624" which have last login date>>) as last_login_date, first(<<other rqquired fields from  "EventCode=630" OR "EventCode=4726">> ... by Target_Account_Name

Assuming that Target_Account_Name is the common user name field for all these event codes.

0 Karma

New Member

Yeah both those event codes do have logs. Am I going to have to perform a join query for this then? I specifically need event code 630 and 4726 as they are event codes for deleted windows accounts.

0 Karma

Revered Legend

Does your logs contain entries with "EventCode=528" OR "EventCode=4624" ?? These entries contains successful login details and you can use those entries to get your last login date/time.

0 Karma
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes and swag!